wrangler secret put: Worker Secrets in CI
wrangler secret put NAME stores an encrypted secret that a Worker reads at runtime, prompting for the value unless you pipe it in.
Secrets are set out of band from deploys. In CI you pipe the value on stdin so the normally interactive prompt never blocks.
What it does
wrangler secret put NAME encrypts a value and binds it to the Worker as an environment secret available via the runtime env. wrangler secret list shows the names (not values) and wrangler secret delete removes one. --env targets a named environment.
Common usage
# pipe the value so it does not prompt
echo "$API_KEY" | wrangler secret put API_KEY
# scope to an environment
echo "$API_KEY" | wrangler secret put API_KEY --env production
# bulk from a JSON object of name/value pairs
wrangler secret bulk secrets.jsonOptions
| Command / flag | What it does |
|---|---|
| secret put NAME | Create or update an encrypted secret |
| secret list | List secret names for the Worker |
| secret delete NAME | Remove a secret |
| secret bulk <file> | Upload many secrets from a JSON file |
| --env <name> | Target a wrangler.toml environment |
In CI
Always pipe the value via echo "$VAR" | wrangler secret put NAME; with no stdin the command tries to prompt and fails on a runner. Use secret bulk to set several at once and keep the value out of the process list (avoid putting secrets directly on the command line).
Common errors in CI
"Authentication error [code: 10000]" means a missing or under-scoped CLOUDFLARE_API_TOKEN. "Error: Failed to automatically retrieve account IDs ... in non-interactive mode" means CLOUDFLARE_ACCOUNT_ID is unset. A hang on secret put means no value was piped in.